
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Edited by SifuMike, 26 November 2006 - 08:00 PM.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

Notes:
• Do not mouseclick combofix's window while it's running. That may cause it to stall.
• Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.
• Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


Don't use the windows start\search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked. If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. Folders and files with a tilde (~) mean that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.

2. In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

3. In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot to the Normal Mode

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

Post a new Hijackthis log, the BitDefender log and tell me how your computer is running.


Ok so my computer seems to be running ok. The 888 bar is gone but I see that other scan came up with other stuff that is infected. I have seen the same type of infections in the last little while (purityad and softomate). Thanks for your continued assistance!!

I see an exe file called mc2.exe that was created the day I got the virus, I'm guessing this is probably something we should look at? And there is some kind of system volume information file that cannot be accessed or deleted.

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement".

The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

Check any item with Java Runtime Environment (JRE or J2SE) in the name.

Click the Remove or Change/Remove button.

Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.

Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

I see an exe file called mc2.exe that was created the day I got the virus, I'm guessing this is probably something we should look at?

If you look at the BitDefender log you will see it is deleted.

And there is some kind of system volume information file that cannot be accessed or deleted.

Don't worry about the system volume info, as that is where the deleted files go. It is isolated from the computer there, and we will delete the System Volume info when we are done cleaning your computer.

It looks like you got a purityscan infection since your last visit. It was not there when we previously did the combofix.

Don't use the windows start\search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked. If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\m?iexec.exe <==file Be careful NOT to delete the valid msiexec.exe file. The ? can be any letter or number.
C:\WINDOWS\system32\jdgxkd.dll <==file
C:\Documents and Settings\Family\Application Data\miob.exe <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

*******************************************

Reboot to the Normal Mode

Post a new Hijackthis log, the AVG Antispyware log, fresh Hijackthis log and tell me how your computer is running.

Edited by SifuMike, 03 December 2006 - 12:20 AM.

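The m?iexec.exe warning above describes a lookalike file: a name one character away from the genuine msiexec.exe, placed in the same folder so that a careless cleanup deletes the real binary or leaves the fake. The following added example (not code from the thread or its helper) generalizes that check: it scans a constructed directory listing for names that differ from a known legitimate Windows binary by exactly one character, and never flags the genuine file itself. The list of legitimate names beyond msiexec.exe is an assumed extension for illustration.

```python
"""Flag look-alike filenames that mimic legitimate Windows binaries by a
single character substitution (the m?iexec.exe pattern from the thread)."""

# msiexec.exe comes from the thread; the other entries are assumed
# additions so the check covers more than the single case discussed.
LEGIT_NAMES = {"msiexec.exe", "svchost.exe", "explorer.exe"}


def one_substitution_apart(a: str, b: str) -> bool:
    """True if a and b have equal length and differ in exactly one position."""
    if len(a) != len(b):
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


def find_lookalikes(filenames):
    """Return {suspect_name: imitated_legit_name} for every name that is one
    substitution away from a legitimate binary. Comparison is case-insensitive
    because Windows filename lookup is. Exact matches are never flagged, which
    is the 'do not delete the valid msiexec.exe' rule from the thread."""
    legit = {n.lower() for n in LEGIT_NAMES}
    hits = {}
    for name in filenames:
        low = name.lower()
        if low in legit:
            continue  # genuine system file: leave it alone
        for good in legit:
            if one_substitution_apart(low, good):
                hits[name] = good
                break
    return hits


# Constructed sample listing of C:\WINDOWS\system32 (not a real capture).
SAMPLE_LISTING = [
    "msiexec.exe",   # genuine Windows Installer binary, must stay
    "m9iexec.exe",   # lookalike of the kind the thread describes
    "mxiexec.exe",
    "svchost.exe",
    "svch0st.exe",   # digit zero in place of the letter o
    "jdgxkd.dll",    # named in the thread, but not a lookalike of anything here
    "notepad.exe",
]

if __name__ == "__main__":
    for suspect, imitated in find_lookalikes(SAMPLE_LISTING).items():
        print(f"{suspect} mimics {imitated}")
```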

The Hijackthis Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list. When cleaning malware from a machine, entries in the Add/Remove Programs list invariably get left behind. We will use Uninstall Manager to remove the Toolbar 888 entry from your uninstall list.

To access the Uninstall Manager you would do the following:

Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

To delete it, simply click on the Toolbar 888 you would like to remove and then click on the Delete this entry button.

Just to be sure nothing was added run ComboFix and post the log.
